Identification card solutions provider, Multicard, has been found to have leaked the personal information of approximately 9,000 maritime security identity card (MSIC) applicants online.

The Office of the Australian Information Commission (OAIC) found that Multicard stored personal information on a publicly accessible web server without appropriate security controls to prevent unauthorised access.

The personal information was discoverable via Google search over a four month period. As a result, at least one unidentified unauthorised third party accessed and downloaded the information.

Australian Privacy Commissioner Timothy Pilgrim said Multicard failed to take reasonable steps to ensure the security of the personal information it held.

"The OAIC’s investigation found that Multicard failed to implement a number of basic security measures which resulted in a large amount of personal information being exposed. This was a data breach that could have easily been avoided," he said.

OAIC was initially informed about the data breach in January 2014 by the Office of Transport Security. It resulted in personal information, including first and last names, dates of birth, addresses, partial credit card numbers and expiry dates, and photographs being made publicly accessible online.

"I urge all organisations to carefully consider what security safeguards they have in place to protect the personal information they hold," Pilgrim. "It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed."

However, the Commissioner found that Multicard acted appropriately to contain the data breach by immediately disabling its website and restricting access. Since the data breach, Multicard has appointed an independent auditor and taken a number of steps to improve its information security.